On Mon, 24 Dec 2001, Claussen, Ken wrote:

> One if this is how the product functions, then the person on the remote end
> only has the same "User Privilege" as the person logged on at the console.
> If care has been taken in assigning security levels and groups appropriately
> (namely not granting "Local Administrator Rights") then this vector of
> attack will only be as successful as the person at the console. In other

That's true of any trojan that doesn't come with an escalation of priv. attack. As a matter of fact, one of the surprising things (to me) about Code Red was that even though it used an Administrator-level exploit on IIS, it installed as the IIS user.

> Two If you don't trust the people with "Domain Administrator" (The ones who
> could do damage on the servers), then you have much larger problems. It is
> not possible to trust everyone in the enterprise, but trusting "Domain
> Admins" is a must. These are the people who could damage your network by

To me, the main issue isn't trust of admins when they're gainfully employed, it's post-employment access, especially these days with all the downsizing going on.

> installing and activating this service. The major difference I see between
> WebEx and a common Trojan is that most Trojans will grant the intruder
> "Local System" (Local Administrator or Root equivalent) rights regardless of
> the currently logged on user. This distinction makes it possible to remove
> this "Service" from the classification of "Trojan" in my mind (Personal
> Opinion, YMMV).

Most trojans (and there are *lots* of them) don't contain escalation of priv. code, since most are meant to run on any Win32 platform. Also, most companies don't do a very good job of applying patches (or we wouldn't see successful worms), so escalation of priv. is relatively easy after intrusion.

> That said, as a security administrator I will be blocking access to any IP
> addresses owned or used by WebEx. We have our own support staff and meeting
> scheduling systems and therefore do not require any of their services.
> Following Jurus Prudence anything which is not needed is blocked. Nothing
> personal you understand.

This, to me, is the key: if vendors aren't going to go the distance to provide some assurance, then the only real alternative is blocking. That's a shame because in the long run both vendors and admins lose.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
